{"id":25616,"date":"2024-12-27T11:20:54","date_gmt":"2024-12-27T19:20:54","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/12\/27\/news-19345\/"},"modified":"2024-12-27T11:20:54","modified_gmt":"2024-12-27T19:20:54","slug":"news-19345","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/12\/27\/news-19345\/","title":{"rendered":"Prioritizing patching: A deep dive into frameworks and tools &#8211; Part 1: CVSS"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Fri, 27 Dec 2024 17:33:53 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Back in August 2022, Sophos X-Ops published <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/09\/multiple-attackers-increase-pressure-on-victims-complicate-incident-response\/\" target=\"_blank\" rel=\"noopener\">a white paper on multiple attackers<\/a> \u2013 that is, adversaries targeting the same organizations multiple times. One of our key recommendations in that research was to prevent repeated attacks by \u2018prioritizing the worst bugs first\u2019: patching critical or high-profile vulnerabilities that could affect users\u2019 specific software stacks. While we think this is still good advice, prioritization is a complex issue. How do you know what the worst bugs are? And how do you actually prioritize remediation, given that resources are more or less the same but the number of published CVEs per year <a href=\"https:\/\/www.cvedetails.com\/browse-by-date.php\" target=\"_blank\" rel=\"noopener\">continues to increase<\/a>, from 18,325 in 2020, to 25,277 in 2022, to 29,065 in 2023? 
And according to <a href=\"https:\/\/learn-cloudsecurity.cisco.com\/vulnerability-management-resources\/vmc\/prioritization-to-prediction-volume-8\" target=\"_blank\" rel=\"noopener\">recent research<\/a>, the median remediation capacity across organizations is 15% of open vulnerabilities in any given month.<\/p>\n<p>A common approach is to prioritize patching by severity (or by <em>risk,<\/em> a distinction we\u2019ll clarify later) using CVSS scores. FIRST\u2019s <a href=\"https:\/\/www.first.org\/cvss\/\" target=\"_blank\" rel=\"noopener\">Common Vulnerability Scoring System<\/a> has been around for a long time, provides a numerical ranking of vulnerability severity between 0.0 and 10.0, and is not only widely used for prioritization but mandated in some industries and governments, including the <a href=\"https:\/\/listings.pcisecuritystandards.org\/pdfs\/pci_dss_technical_and_operational_requirements_for_approved_scanning_vendors_ASVs_v1-1.pdf\" target=\"_blank\" rel=\"noopener\">Payment Card Industry<\/a> (PCI) and <a href=\"https:\/\/www.fedramp.gov\/assets\/resources\/documents\/CSP_Vulnerability_Scanning_Requirements.pdf\" target=\"_blank\" rel=\"noopener\">parts of the US federal government<\/a>.<\/p>\n<p>As for how it works, it\u2019s deceptively simple. You plug in details about a vulnerability, and out comes a number which tells you whether the bug is Low, Medium, High, or Critical. So far, so straightforward; you weed out the bugs that don\u2019t apply to you, focus on patching the Critical and High vulnerabilities out of what\u2019s left, and either patch the Mediums and Lows afterwards or accept the risk. Everything is on that 0-10 scale, so in theory this is easy to do.<\/p>\n<p>But there\u2019s more nuance to it than that. In this article, the first of a two-part series, we\u2019ll take a look at what goes on under the hood of CVSS, and explain why it isn\u2019t necessarily all that useful for prioritization by itself. 
In the second part, we\u2019ll discuss some alternative schemes which can provide a more complete picture of risk to inform prioritization.<\/p>\n<p>Before we start, an important note. While we\u2019ll discuss some issues with CVSS in this article, we are very conscious that creating and maintaining a framework of this type is hard work, and to some degree a thankless task. CVSS comes in for a lot of criticism, some pertaining to inherent issues with the concept, and some to the ways in which organizations use the framework. But we should point out that CVSS is not a commercial, paywalled tool. It is made free for organizations to use as they see fit, with the intent of providing a useful and practical guide to vulnerability severity and therefore helping organizations to improve their response to published vulnerabilities. It continues to undergo improvements, often in response to external feedback. Our motivation in writing these articles is not in any way to disparage the CVSS program or its developers and maintainers, but to provide additional context and guidance around CVSS and its uses, specifically with regards to remediation prioritization, and to contribute to a wider discussion around vulnerability management.<\/p>\n<h1>What is CVSS?<\/h1>\n<p>CVSS is \u201ca way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity,\u201d <a href=\"https:\/\/www.first.org\/cvss\/\" target=\"_blank\" rel=\"noopener\">according to FIRST<\/a>. 
That numerical score, as mentioned earlier, is between 0.0 and 10.0, giving 101 possible values; it can then be turned into a qualitative measure using the following scale:<\/p>\n<ul>\n<li><em>None: 0.0<\/em><\/li>\n<li><em>Low: 0.1 \u2013 3.9<\/em><\/li>\n<li><em>Medium: 4.0 \u2013 6.9<\/em><\/li>\n<li><em>High: 7.0 \u2013 8.9<\/em><\/li>\n<li><em>Critical: 9.0 \u2013 10.0<\/em><\/li>\n<\/ul>\n<p>The system has been around since February 2005, when version 1 was released; v2 came out in June 2007, followed by v3 in June 2015. v3.1, released in June 2019, has some minor amendments from v3, and v4 was published on October 31, 2023. Because CVSS v4 <a href=\"https:\/\/discuss.rapid7.com\/t\/cvss-4-0-when\/29354\" target=\"_blank\" rel=\"noopener\">has not yet been widely adopted<\/a> as of this writing (e.g., the National Vulnerability Database (NVD) and many vendors <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/patch-tuesday\/\" target=\"_blank\" rel=\"noopener\">including Microsoft<\/a> are still predominantly using v3.1), we will look at both versions in this article.<em>\u00a0<\/em><\/p>\n<p>CVSS is the de facto standard for representing vulnerability severity. It appears on CVE entries in the NVD as well as in various other vulnerability databases and feeds. The idea is that it produces a single, standardized, platform-agnostic score.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-959061\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-1.png\" alt=\"\" width=\"602\" height=\"292\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-1.png 602w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-1.png?resize=300,146 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/p>\n<p><em>Figure 1: The entry for CVE-2023-30063 on the NVD. 
Note the v3.1 Base Score (7.5, High) and the vector string, which we\u2019ll cover in more detail shortly. Also note that as of March 2024, the NVD does not incorporate CVSS v4 scores<\/em><\/p>\n<p>The figure most providers use is the Base Score, which reflects a vulnerability\u2019s intrinsic properties and its potential impacts. Calculating a score involves assessing a vulnerability via two sub-categories, each with its own vectors which feed into the overall equation.<\/p>\n<p>The first sub-category is Exploitability, which contains the following vectors (possible values are in brackets) in CVSS v4:<\/p>\n<ul>\n<li>Attack Vector (Network, Adjacent, Local, Physical)<\/li>\n<li>Attack Complexity (Low, High)<\/li>\n<li>Attack Requirements (None, Present)<\/li>\n<li>Privileges Required (None, Low, High)<\/li>\n<li>User Interaction (None, Passive, Active)<\/li>\n<\/ul>\n<p>The second sub-category is Impact. Each of the vectors below has the same three possible values (High, Low, and None):<\/p>\n<ul>\n<li>Vulnerable System Confidentiality<\/li>\n<li>Subsequent System Confidentiality<\/li>\n<li>Vulnerable System Integrity<\/li>\n<li>Subsequent System Integrity<\/li>\n<li>Vulnerable System Availability<\/li>\n<li>Subsequent System Availability<\/li>\n<\/ul>\n<p>So how do we get to an actual number after supplying these values? 
In v3.1, as shown in <a href=\"https:\/\/www.first.org\/cvss\/v3.1\/specification-document\" target=\"_blank\" rel=\"noopener\">FIRST\u2019s CVSS specification document<\/a>, the metrics (slightly different to the v4 metrics listed above) have an associated numerical value:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-959062\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-2.png\" alt=\"\" width=\"602\" height=\"337\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-2.png 602w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/Figure-2.png?resize=300,168 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/p>\n<p><em>Figure 2: An excerpt from FIRST\u2019s CVSS v3.1 documentation, showing the numerical values of various metrics<\/em><\/p>\n<p>To calculate the v3.1 Base score, we first calculate three sub-scores: an Impact Sub-Score (ISS), an Impact Score (which uses the ISS), and an Exploitability Score.<\/p>\n<p><strong>Impact Sub-Score<\/strong><\/p>\n<p>1 \u2013 [(1 \u2013 Confidentiality) * (1 \u2013 Integrity) * (1 \u2013 Availability)]<\/p>\n<p><strong>Impact Score<\/strong><\/p>\n<ul>\n<li>If scope is unchanged, 6.42 * ISS<\/li>\n<li>If scope is changed, 7.52 * (ISS \u2013 0.029) \u2013 3.25 * (ISS \u2013 0.02)<sup>15<\/sup><\/li>\n<\/ul>\n<p><strong>Exploitability Score<\/strong><\/p>\n<p>8.22 * AttackVector * AttackComplexity * PrivilegesRequired * UserInteraction<\/p>\n<p><strong>Base Score<\/strong><\/p>\n<p>Assuming the Impact Score is greater than 0:<\/p>\n<ul>\n<li>If scope is unchanged: Roundup (Minimum [(Impact + Exploitability), 10])<\/li>\n<li>If scope is changed: Roundup (Minimum [1.08 * (Impact + Exploitability), 10])<\/li>\n<\/ul>\n<p>Here, the equation uses two custom functions, Roundup and Minimum. 
Roundup \u201creturns the smallest number, specified to one decimal place, that is equal to or higher than its input,\u201d and Minimum \u201creturns the smaller of its two arguments.\u201d<\/p>\n<p>Given that CVSS is an open-source specification, we can work through an example of this manually, using the v3.1 vector string for CVE-2023-30063 shown in Figure 1:<\/p>\n<p>CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N<\/p>\n<p>We\u2019ll look up the vector results and their associated numerical values, so we know what numbers to plug into the equations:<\/p>\n<ul>\n<li>Attack Vector = Network = 0.85<\/li>\n<li>Attack Complexity = Low = 0.77<\/li>\n<li>Privileges Required = None = 0.85<\/li>\n<li>User Interaction = None = 0.85<\/li>\n<li>Scope = Unchanged (no associated value in itself; instead, Scope can modify other vectors)<\/li>\n<li>Confidentiality = High = 0.56<\/li>\n<li>Integrity = None = 0<\/li>\n<li>Availability = None = 0<\/li>\n<\/ul>\n<p>First, we calculate the ISS:<\/p>\n<p>1 \u2013 [(1 \u2013 0.56) * (1 \u2013 0) * (1 \u2013 0)] = 0.56<\/p>\n<p>The Scope is unchanged, so for the Impact score we multiply the ISS by 6.42, which gives us <strong>3.595<\/strong>.<\/p>\n<p>The Exploitability score is 8.22 * 0.85 * 0.77 * 0.85 * 0.85, which gives us <strong>3.887<\/strong>.<\/p>\n<p>Finally, we put this all into the Base Score equation, which effectively adds these two scores together, giving us <strong>7.482<\/strong>. To one decimal place this is <strong>7.5<\/strong>, as per the CVSS v3.1 score on NVD, which means this vulnerability is considered to be High severity.<\/p>\n<p><a href=\"https:\/\/www.first.org\/cvss\/v4.0\/specification-document\" target=\"_blank\" rel=\"noopener\">v4 takes a very different approach<\/a>. Among other changes, the Scope metric has been retired; there is a new Base metric (Attack Requirements); and the User Interaction metric now has more granular options. But the most radical change is the scoring system. 
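Before we get to that change, the v3.1 calculation just worked through is simple enough to sanity-check in code. The sketch below is a minimal illustration based on the equations above, not FIRST's reference implementation; the integer-arithmetic Roundup follows the floating-point guidance in the v3.1 specification's appendix:

```python
def roundup(x):
    # CVSS v3.1 "Roundup": the smallest number, to one decimal place, that is
    # equal to or higher than its input. Integer arithmetic avoids the
    # floating-point drift the v3.1 specification warns about.
    n = int(round(x * 100000))
    if n % 10000 == 0:
        return n / 100000.0
    return (n // 10000 + 1) / 10.0

# Metric values for CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CVE-2023-30063)
av, ac, pr, ui = 0.85, 0.77, 0.85, 0.85   # Exploitability metrics
conf, integ, avail = 0.56, 0.0, 0.0       # Impact metrics (C:H, I:N, A:N)
scope_changed = False                     # S:U

iss = 1 - ((1 - conf) * (1 - integ) * (1 - avail))   # Impact Sub-Score = 0.56
if scope_changed:
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
else:
    impact = 6.42 * iss                                # = 3.5952
exploitability = 8.22 * av * ac * pr * ui              # = 3.887...

if impact <= 0:
    base = 0.0
elif scope_changed:
    base = roundup(min(1.08 * (impact + exploitability), 10))
else:
    base = roundup(min(impact + exploitability, 10))

print(base)  # 7.5, matching the NVD score for CVE-2023-30063
```

Swapping in other metric values from the Figure 2 table yields the corresponding Base Scores.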
Now, the calculation method no longer relies on \u2018magic numbers\u2019 or a formula. Instead, \u2018equivalence sets\u2019 of different combinations of values have been ranked by experts, compressed, and put into bins representing scores. When calculating a CVSS v4 score, the vector is computed and the associated score returned, using <a href=\"https:\/\/github.com\/FIRSTdotorg\/cvss-v4-calculator\/blob\/main\/cvss_lookup.js\" target=\"_blank\" rel=\"noopener\">a lookup table<\/a>. So, for example, a vector of 202001 has an associated score of 6.4 (Medium).<\/p>\n<p>Regardless of the calculation method, the Base Score isn\u2019t supposed to change over time, since it relies on characteristics inherent to the vulnerability. However, the v4 specification also offers three other metric groups: Threat (the characteristics of a vulnerability that change over time); Environmental (characteristics that are unique to a user\u2019s environment); and Supplemental (additional extrinsic attributes).<\/p>\n<p>The Threat Metric Group includes only one metric (Exploit Maturity); this replaces the Temporal Metric Group from v3.1, which included metrics for Exploit Code Maturity, Remediation Level, and Report Confidence. The Exploit Maturity metric is designed to reflect the likelihood of exploitation, and has four possible values:<\/p>\n<ul>\n<li>Not Defined<\/li>\n<li>Attacked<\/li>\n<li>Proof-of-Concept<\/li>\n<li>Unreported<\/li>\n<\/ul>\n<p>Whereas the Threat Metric Group is designed to add additional context to a Base score based on threat intelligence, the Environmental Metric Group is more of a variation of the Base score, allowing an organization to customize the score \u201cdepending on the importance of the affected IT asset to a user\u2019s organization.\u201d This metric contains three sub-categories (Confidentiality Requirement, Integrity Requirement, and Availability Requirement), plus the modified Base metrics. 
The values and definitions are the same as the Base metrics, but the modified metrics allow users to reflect mitigations and configurations which may increase or decrease severity. For example, the default configuration of a software component might not implement authentication, so a vulnerability in that component would have a Base metric of None for the Privileges Required measure. However, an organization might have protected that component with a password in their environment, in which case the Modified Privileges Required would be either Low or High, and the overall Environmental score for that organization would therefore be lower than the Base score.<\/p>\n<p>Finally, the Supplemental Metric Group includes the following optional metrics, which don\u2019t affect the score.<\/p>\n<ul>\n<li>Automatable<\/li>\n<li>Recovery<\/li>\n<li>Safety<\/li>\n<li>Value Density<\/li>\n<li>Vulnerability Response Effort<\/li>\n<li>Provider Urgency<\/li>\n<\/ul>\n<p>It remains to be seen how widely used the Threat and Supplemental Metric Groups will be in v4. With v3.1, Temporal metrics rarely appear on vulnerability databases and feeds, and Environmental metrics are intended to be used on a per-infrastructure basis, so it\u2019s not clear how widely adopted they are.<\/p>\n<p>However, Base scores are ubiquitous, and at first glance it\u2019s not hard to see why. Even though a lot has changed in v4, the fundamental nature of the outcome \u2013 a figure between 0.0 and 10.0, which purportedly reflects a vulnerability\u2019s severity \u2013 is the same.<\/p>\n<p>The system has, however, come in for some criticism.<\/p>\n<h1>The downsides of CVSS<\/h1>\n<h2>What does a CVSS score mean?<\/h2>\n<p>This isn\u2019t a problem inherent to the CVSS specification, but there can be some confusion as to what a CVSS score actually <em>means<\/em>, and what it should be used for<em>. 
<\/em>As<a href=\"https:\/\/dl.acm.org\/doi\/full\/10.1145\/3491263\" target=\"_blank\" rel=\"noopener\"> Howland points out<\/a>, the <a href=\"https:\/\/www.first.org\/cvss\/v2\/guide\" target=\"_blank\" rel=\"noopener\">specification for CVSS v2<\/a> is clear that the framework\u2019s purpose is risk management:<\/p>\n<p><em>\u201cCurrently, IT management must identify and assess vulnerabilities across many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored using different scales, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue.\u201d <\/em><\/p>\n<p>The word \u2018risk\u2019 appears 21 times in the v2 specification; \u2018severity\u2019 only three. By the v4 specification, these numbers have effectively reversed; \u2018risk\u2019 appears three times, and \u2018severity\u2019 41 times. The first sentence of the v4 specification states that the purpose of the framework is \u201ccommunicating the characteristics and severity of software vulnerabilities.\u201d So, at some point, the stated purpose of CVSS has changed, from a measure of risk to a measure of severity.<\/p>\n<p>That\u2019s not a \u2018gotcha\u2019 in any way; the authors may have simply decided to clarify exactly what CVSS is for, to prevent or address misunderstandings. The real issue here doesn\u2019t lie in the framework itself, but in the way it is sometimes implemented. 
Despite the clarifications in recent specifications, CVSS scores may still sometimes be (mis)used as a measure of <em>risk<\/em> (i.e., <a href=\"https:\/\/www.isaca.org\/resources\/isaca-journal\/past-issues\/2014\/an-enhanced-risk-formula-for-software-security-vulnerabilities#:~:text=Risk%20is%20the%20combination%20of,%3A%20Risk%20%3D%20Likelihood%20%C3%97%20Impact.\" target=\"_blank\" rel=\"noopener\">\u201cthe combination of the probability of an event and its consequences,\u201d<\/a> or, as per the oft-cited formula, Threat * Vulnerability * Consequence), but they don\u2019t actually measure risk at all. They measure <em>one<\/em> <em>aspect<\/em> of risk, in assuming that an attacker \u201chas already located and identified the vulnerability,\u201d and in assessing the characteristics and potential impact of that vulnerability <em>if<\/em> an exploit is developed, and <em>if<\/em> that exploit is effective, and <em>if<\/em> the reasonable worst-case scenario occurs as a result.<\/p>\n<p>A CVSS score can be a piece of the puzzle, but by no means the completed jigsaw. While it may be nice to have a single number on which to base decisions, risk is a far more complex game.<\/p>\n<h2>But I can still use it for prioritization, right?<\/h2>\n<p>Yes and no. Despite the increasing numbers of published CVEs (and it\u2019s worth pointing out that not all vulnerabilities receive CVE IDs, so that\u2019s not a completed jigsaw either), only a <a href=\"https:\/\/academic.oup.com\/cybersecurity\/article\/6\/1\/tyaa015\/5905457\" target=\"_blank\" rel=\"noopener\">small fraction<\/a> \u2013 <a href=\"https:\/\/i.blackhat.com\/USA-19\/Thursday\/us-19-Roytman-Jacobs-Predictive-Vulnerability-Scoring-System.pdf\" target=\"_blank\" rel=\"noopener\">between 2% and 5%<\/a> &#8211; are ever detected as being exploited in-the-wild, according to research. 
So, if a vulnerability intelligence feed tells you that 2,000 CVEs have been published this month, and 1,000 of them affect assets in your organization, only around 20-50 of those will likely ever be exploited (that we\u2019ll know about).<\/p>\n<p>That\u2019s the good news. But, leaving aside any exploitation that occurs before a CVE\u2019s publication, we don\u2019t know <em>which<\/em> CVEs threat actors will exploit in the future, or when \u2013 so how can we know which vulnerabilities to patch first? One might assume that threat actors use a similar thought process to CVSS, albeit less formalized, to develop, sell, and use exploits: emphasizing high-impact vulnerabilities with low complexity. In which case, prioritizing high CVSS scores for remediation makes perfect sense.<\/p>\n<p>But researchers have shown that CVSS (at least, up to v3) is an unreliable predictor of exploitability. Back in 2014, <a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/2630069\" target=\"_blank\" rel=\"noopener\">researchers at the University of Trento<\/a> claimed that \u201cfixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix,\u201d based on an analysis of publicly available data on vulnerabilities and exploits. More recently (March 2023), Howland\u2019s research on CVSS shows that bugs with a CVSS v3 score of 7 are the most likely to be weaponized, in a sample of over 28,000 vulnerabilities. 
Vulnerabilities with scores of 5 were more likely to be weaponized than those with scores of 6, and 10-rated vulnerabilities \u2013 Critical flaws \u2013 were less likely to have exploits developed for them than vulnerabilities ranked as 9 or 8.<\/p>\n<p>In other words, there does not appear to be a correlation between CVSS score and the likelihood of exploitation, and, according to Howland, that\u2019s still the case even if we weight relevant vectors \u2013 like Attack Complexity or Attack Vector \u2013 more heavily (although it remains to be seen if this will still hold true with CVSS v4).<\/p>\n<p>This is a counterintuitive finding. As the authors of the Exploit Prediction Scoring System (EPSS) <a href=\"https:\/\/www.first.org\/epss\/user-guide\" target=\"_blank\" rel=\"noopener\">point out<\/a> (more on EPSS in our follow-up article), after plotting CVSS scores against EPSS scores and finding less correlation than expected:<\/p>\n<p><em>\u201cthis\u2026provides suggestive evidence that attackers are not only targeting vulnerabilities that produce the greatest impact, or are necessarily easier to exploit (such as for example, an unauthenticated remote code execution).\u201d<\/em><\/p>\n<p>There are various reasons why the assumption that attackers are most interested in developing exploits for severe, low-effort vulnerabilities doesn\u2019t hold up. As with risk, the criminal ecosystem can\u2019t be reduced to a single facet. Other factors which might affect the likelihood of weaponization include the install base of the affected product; prioritizing certain impacts or product families over others; differences by crime type and motivation; geography, and so on. 
This is a complex, and separate, discussion, and out of scope for this article \u2013 but, <a href=\"https:\/\/theoryof.predictable.software\/articles\/a-closer-look-at-cvss-scores\/\" target=\"_blank\" rel=\"noopener\">as Jacques Chester argues<\/a> in a thorough and thought-provoking blog post on CVSS, the main takeaway is: \u201cAttackers do not appear to use CVSSv3.1 to prioritize <em>their<\/em> efforts. Why should defenders?\u201d Note, however, that Chester doesn\u2019t go so far as to argue that CVSS should not be used at all. But it probably shouldn\u2019t be the sole factor in prioritization.<\/p>\n<h2>Reproducibility<\/h2>\n<p>One of the litmus tests for a scoring framework is that, given the same information, two people should be able to work through the process and come out with approximately the same score. In a field as complex as vulnerability management, where subjectivity, interpretation, and technical understanding often come into play, we might reasonably expect a degree of deviation \u2013 but <a href=\"https:\/\/arxiv.org\/pdf\/1808.06547.pdf\" target=\"_blank\" rel=\"noopener\">a 2018 study<\/a> showed significant discrepancies in assessing the severity of vulnerabilities using CVSS metrics, even among security professionals, which could result in a vulnerability being eventually classified as High by one analyst and Critical or Medium by another.<\/p>\n<p>However, as FIRST points out in its specification document, its intention is that CVSS Base scores should be calculated by vendors or vulnerability analysts. In the real world, Base scores typically appear on public feeds or databases which organizations then ingest \u2013 they\u2019re not intended to be recalculated by lots of individual analysts. That\u2019s reassuring, although the fact that experienced security professionals made, in some cases at least, quite different assessments could be a cause for concern. 
It\u2019s not clear whether that was a consequence of ambiguity in CVSS definitions, or a lack of CVSS scoring experience among the study\u2019s participants, or a wider issue relating to divergent understanding of security concepts, or some or all of the above. Further research is probably needed on this point, and on the extent to which this issue still applies in 2024, and to CVSS v4.<\/p>\n<h2>Harm<\/h2>\n<p>CVSS v3.1\u2019s impact metrics are limited to those associated with traditional vulnerabilities in traditional environments: the familiar CIA triad. What v3.1 does not take into account are more recent developments in security, where attacks against systems, devices, and infrastructure can cause significant physical harm to people and property.<\/p>\n<p>However, v4 does address this issue. It includes a dedicated Safety metric, with the following possible values:<\/p>\n<ul>\n<li>Not Defined<\/li>\n<li>Present<\/li>\n<li>Negligible<\/li>\n<\/ul>\n<p>With the latter two values, the framework uses the <a href=\"https:\/\/webstore.ansi.org\/standards\/iec\/iec61508eden2010cmv\">IEC 61508<\/a> standard definitions of \u201cnegligible\u201d (minor injuries at worst), \u201cmarginal\u201d (major injuries to one or more persons), \u201ccritical\u201d (loss of a single life), or \u201ccatastrophic\u201d (multiple loss of life). The Safety metric can also be applied to the modified Base metrics within the Environmental Metric Group, for the Subsequent System Impact set.<\/p>\n<h2>Context is everything<\/h2>\n<p>CVSS does its best to keep everything as simple as possible, which can sometimes mean reducing complexity. Take v4\u2019s Attack Complexity, for example; the only two possible values are Low and High.<\/p>\n<p style=\"padding-left: 40px\">Low: <em>\u201cThe attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. 
An attacker can expect repeatable success against the vulnerable system.\u201d<\/em><\/p>\n<p style=\"padding-left: 40px\">High: <em>\u201cThe successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack [\u2026].\u201d<\/em><\/p>\n<p>Some threat actors, vulnerability analysts, and vendors would likely disagree with the view that a vulnerability is either of \u2018low\u2019 or \u2018high\u2019 complexity. However, members of the FIRST Special Interest Group (SIG) <a href=\"https:\/\/csrc.nist.gov\/csrc\/media\/Presentations\/2023\/update-on-cvss-4-0\/jan-25-2023-ssca-dugal-rich.pdf\" target=\"_blank\" rel=\"noopener\">claim that this has been addressed in v4 with the new Attack Requirements metric<\/a>, which adds some granularity to the mix by capturing whether exploitation requires certain conditions.<\/p>\n<p>User Interaction is another example. While the possible values for this metric are more granular in v4 than v3.1 (which has only None or Required), the distinction between Passive (limited and involuntary interaction) and Active (specific and conscious interaction) arguably fails to reflect the wide range of social engineering which occurs in the real world, not to mention the complexity added by security controls. For instance, persuading a user to open a document (or just view it in the Preview Pane) is in most cases easier than persuading them to open a document, then disable Protected View, then ignore a security warning.<\/p>\n<p>In fairness, CVSS must walk a line between being overly granular (i.e., including so many possible values and variables that it would take an inordinate amount of time to calculate scores) and overly simplistic. Making the CVSS model more granular would complicate what\u2019s intended to be a quick, practical, one-size-fits-all guide to severity. 
That being said, it\u2019s still the case that important nuance may be missed \u2013 and the vulnerability landscape is, by nature, often a nuanced one.<\/p>\n<p>Some of the definitions in both the v3.1 and v4 specifications may also be confusing to some users. For instance, consider the following, which is provided as a possible scenario under the Attack Vector (Local) definition:<\/p>\n<p style=\"padding-left: 40px\"><em>\u201cthe attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), <strong>or through terminal emulation (e.g., SSH)<\/strong>\u201d <\/em>[emphasis added; in the v3.1 specification, this reads <strong><em>\u201cor remotely (e.g., SSH)\u201d<\/em><\/strong>]<\/p>\n<p>Note that the use of SSH here appears to be distinct from accessing a host on a local network via SSH, as per the Adjacent definition:<\/p>\n<p style=\"padding-left: 40px\"><em>\u201cThis can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical (<strong>e.g., local IP subnet<\/strong>) network, or from within a secure or otherwise limited administrative domain\u2026\u201d <\/em>[emphasis added]<\/p>\n<p>While the specification does make a distinction between a vulnerable component being \u201cbound to the network stack\u201d (Network) or not (Local), this could be counterintuitive or confusing to some users, either when calculating CVSS scores or attempting to interpret a vector string. That\u2019s not to say these definitions are incorrect, only that they might be opaque and unintuitive to some users.<\/p>\n<p>Finally, Howland provides a real-world case study of, in their view, CVSS scores not taking context into account. 
CVE-2014-3566 (the <a href=\"https:\/\/nakedsecurity.sophos.com\/2014\/10\/16\/poodle-attack-takes-bytes-out-of-your-data-heres-what-to-do\/\" target=\"_blank\" rel=\"noopener\">POODLE vulnerability<\/a>) has a <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2014-3566\" target=\"_blank\" rel=\"noopener\">CVSS v3 score of 3.4 (Low)<\/a>. But it affected <a href=\"https:\/\/censys.io\/the-poodle-attack-and-tracking-sslv3-deployment\/\" target=\"_blank\" rel=\"noopener\">almost a million websites<\/a> at the time of disclosure, caused a significant amount of alarm, and impacted different organizations in different ways \u2013 which, Howland argues, CVSS does not take into account. There\u2019s also a separate context-related question \u2013 out of scope for this series \u2013 on whether media coverage and hype about a vulnerability disproportionately influence prioritization. Conversely, <a href=\"https:\/\/portswigger.net\/daily-swig\/cvss-system-criticized-for-failure-to-address-real-world-impact\" target=\"_blank\" rel=\"noopener\">some researchers have argued<\/a> that vulnerability rankings can be overly high because they don\u2019t always take context into account, when the real-world risk is actually relatively low.<\/p>\n<h2>\u2018We\u2019re just ordinally people\u2026\u2019<\/h2>\n<p>In v3.1, CVSS sometimes uses ordinal data as input into equations. Ordinal data is data on a ranked scale, with no known distance between items (e.g., None, Low, High), and, as <a href=\"https:\/\/resources.sei.cmu.edu\/asset_files\/WhitePaper\/2018_019_001_538372.pdf\" target=\"_blank\" rel=\"noopener\">researchers from Carnegie Mellon University point out<\/a>, it does not make sense to add or multiply ordinal data items. If, for instance, you\u2019re completing a survey where the responses are on a <a href=\"https:\/\/www.simplypsychology.org\/likert-scale.html\" target=\"_blank\" rel=\"noopener\">Likert scale<\/a>, it\u2019s meaningless to multiply or add those responses. 
To give a non-CVSS example, if you answer Happy [4.0] to a question about your salary, and Somewhat Happy [2.5] to a question about your work-life balance, you can\u2019t multiply those together and conclude that the overall survey result = 10.0 [\u2018Very happy with my job\u2019].<\/p>\n<p>The use of ordinal data also means that CVSS scores <a href=\"https:\/\/theoryof.predictable.software\/articles\/a-closer-look-at-cvss-scores\/\" target=\"_blank\" rel=\"noopener\">shouldn\u2019t be averaged<\/a>. If an athlete wins a gold medal in one event, for example, and a bronze medal in another, it doesn\u2019t make sense to say that on average they won silver.<\/p>\n<p>In v3.1, it\u2019s also not clear how the metrics\u2019 hardcoded numerical values were chosen, which may be one of the reasons for FIRST opting to eschew a formula in v4. Instead, v4\u2019s scoring system relies on grouping and ranking possible combinations of values, calculating a vector, and using a <a href=\"https:\/\/github.com\/FIRSTdotorg\/cvss-v4-calculator\/blob\/main\/cvss_lookup.js\" target=\"_blank\" rel=\"noopener\">lookup function<\/a> to assign a score. So, instead of a formula, experts selected by FIRST have determined the severity of different combinations of vectors during a consultation period. On the face of it, this seems like a reasonable approach, as it negates the issue of a formula altogether.<\/p>\n<h2>A black box?<\/h2>\n<p>While the specification, equations, and definitions for v3.1 and v4 are publicly available, some researchers have argued that CVSS suffers from <a href=\"https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=538368\" target=\"_blank\" rel=\"noopener\">a lack of transparency<\/a>. In v4, for example, rather than plugging numbers into a formula, analysts can now look up a vector using a predetermined list. 
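Mechanically, that predetermined list amounts to a dictionary keyed by "macrovector" (the identifier of an equivalence set), as a rough sketch shows. The entries below are illustrative placeholders, not values from the real table, which lives in FIRST's cvss_lookup.js and covers every equivalence set:

```python
# Conceptually, CVSS v4 scoring is a table lookup rather than an equation:
# vectors are bucketed into equivalence sets, each identified by a
# macrovector string, and each macrovector maps to an expert-assigned score.
# These entries are illustrative placeholders, NOT the published values.
CVSS_V4_LOOKUP = {
    "000000": 10.0,  # most severe equivalence set
    "102201": 5.4,   # placeholder mid-range entry
    "212221": 0.1,   # near the least severe end
}

def score_from_macrovector(macrovector: str) -> float:
    # No formula to inspect: the score is whatever the table says it is.
    try:
        return CVSS_V4_LOOKUP[macrovector]
    except KeyError:
        raise ValueError(f"unknown equivalence set: {macrovector}")

print(score_from_macrovector("000000"))  # 10.0
```

The transparency question therefore shifts from "why these coefficients?" to "why these table entries?"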
However, it\u2019s not clear how these experts were selected, how they compared \u201cvectors representing each equivalence set,\u201d or how the \u201cexpert comparison data\u201d was used \u201cto calculate the order of vectors from least severe to most severe.\u201d To our knowledge, this information has not been made public. As we\u2019ll see in Part 2 of this series, this issue is not unique to CVSS.<\/p>\n<p>As with anything in security, any results produced by a system in which the underlying mechanics are not fully known or understood should be treated with a degree of skepticism commensurate with the importance and nature of the purpose for which they\u2019re used \u2013 and with the level of associated risk if those results should prove to be wrong or misleading.<\/p>\n<h2>Capping it off<\/h2>\n<p>Finally, it may be worth wondering why CVSS scores are between 0 and 10 at all. The obvious answer is that this is a simple scale which is easy to understand, but it\u2019s also arbitrary, especially since the inputs to the equations are qualitative and CVSS is not a probability measure. In v3.1, the Minimum function ensures that scores are capped at 10 (without it, it\u2019s possible for a Base score to reach 10.73, at least by our calculations) \u2013 and in v4, the vectoring mechanism caps scores at 10 by design, because it\u2019s the highest \u2018bin.\u2019<\/p>\n<p>But is there a maximum extent to which a vulnerability can be severe? Are all vulnerabilities which score 10.0 equally bad? Likely this choice was made for human readability \u2013 but is it at the cost of an accurate and realistic representation of severity?<\/p>\n<h1>Conclusion<\/h1>\n<p>A quick, if imperfect, thought experiment: Imagine a scoring system that claims to measure the severity of biological viruses. 
The scores can tell you about the possible impact a virus might have on people, perhaps even something about the potential threat of the virus based on some of its characteristics (e.g., an airborne virus is likely to be a more widespread threat than a virus that can only be transmitted via ingestion or physical contact, albeit not necessarily a more severe one).<\/p>\n<p>After inputting information about the virus into an equation, the system generates a very easy-to-understand numerical score between 0 and 10. Parts of the healthcare sector use these scores to prioritize their responses to viruses, and some of the general public rely on them as an indicator of risk \u2013 even though that\u2019s not what the system\u2019s developers advise.<\/p>\n<p>But what the scores can\u2019t tell you is how a virus will impact you personally, based on your age, health, immune system efficiency, co-morbidities, immunity via previous infection, and so on. They can\u2019t tell you how likely you are to get infected, or how long it will take you to recover. They don\u2019t consider all of the viruses\u2019 properties (replication rate and ability to mutate, for instance, or geographic distribution of reservoirs and infections) or take wider context into account, such as whether there are vaccines or preventative measures available. As a result, some of the scores seem to make sense (HIV ranks higher than a common rhinovirus, for example), but others don\u2019t (poliovirus scores highly because of its possible impacts, despite being virtually eradicated in most of the world). And independent empirical research has shown that the system\u2019s scores are not helpful in predicting morbidity rates.<\/p>\n<p>So, should you rely solely on this system for conducting personal risk assessments \u2013 say, when deciding to attend a party, or go on holiday, or visit someone in hospital? 
Should the medical community rely on it to prioritize clinical research and epidemiological efforts?<\/p>\n<p>Intuitively, most people would likely have some doubts; it\u2019s clear that the system has some flaws. However, it\u2019s certainly not redundant. It\u2019s helpful for categorization, and for highlighting possible threats based on a virus\u2019s intrinsic properties, because its scores tell you something about the potential consequences of infection. It\u2019s useful, for example, to know that rabies is inherently more severe than chickenpox, even if you\u2019re unlikely to contract rabies on your next night out. You could certainly take this system\u2019s scores into account when conducting a risk assessment, in conjunction with other information. But you\u2019d also want more information.<\/p>\n<p>And, in fairness, <a href=\"https:\/\/www.first.org\/cvss\/v4.0\/faq\" target=\"_blank\" rel=\"noopener\">FIRST makes this point in its FAQ document for v4<\/a>. In discussing alternative scoring systems, it notes that they \u201ccan be used in concert to better assess, predict, and make informed decisions on vulnerability response priority.\u201d In the next article, we\u2019ll discuss some of these other systems.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/12\/27\/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-1-cvss\/\" target=\"bwo\">http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/shutterstock_2501372697.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Fri, 27 Dec 2024 17:33:53 +0000<\/strong><\/p>\n<p>In the first of a two-part series exploring tools and frameworks which can help organizations with remediation prioritization, Sophos X-Ops takes a look at the Common Vulnerability Scoring System
(CVSS)<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[24784,12557,27030,16771],"class_list":["post-25616","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cvss","tag-patching","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25616"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25616\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}